Michael Schwendt wrote:
A signing-server doesn't fix everything. It may help with the security implications of giving away the key password as was done for Extras. But hoping for much more frequent or automated pushes of non-critical updates would be insane.
Well, one of the things I was hoping to have come out of my initial message was some transparency. It's useful to know that, for example, frequent pushes of updates is a problem for mirrors.
It would be most valuable to have something like the package update wiki page updated with a list of "here's what to expect, and why, once you submit an update request", because right now information like the above isn't captured anywhere that I can find. Not having any idea what to expect is no fun.
<b